Web Application Security
Biff Tannen: I can’t believe you’d loan me your car without telling me it had a blind spot. I could’ve been killed!
George McFly: Blind spot? Now, now, Biff, now I never noticed that the car had any blind spot before when I would drive it.
– Back To The Future
It’s not just your car that has a blind spot. Life is full of blind spots.
One potential blind spot you certainly don’t want to leave unchecked is the security of your website or web application.
Security is a high priority concern for any application that’s on the web. There are several common types of security vulnerabilities that are often targeted. Attackers may have a variety of motives for their attacks which include profit, curiosity, revenge/disgruntlement, and even various political ideologies. Fortunately, there are also several solid strategies for preventing these attacks.
Providing customers with reliable website security begins by analyzing various points of vulnerability, collectively called the attack surface, and systematically addressing each point or attack vector. Attack vectors include, but are not limited to:
- The database
- Uploaded files
- Browser cookies
- Client-side scripting in the browser (JavaScript)
Minimizing the amount of information a website reveals about itself and its internals (technologies in use, file paths, internal addresses, defense strategies, and so on) further reduces the attack surface in many cases, because it denies an attacker the reconnaissance needed to pick a working attack.
There are a number of concerns that need to be addressed. I’ll cover some of them here…
1) Login Credentials – Authentication
The first line of defense a website user meets is the login, that is to say, user name and password. The login must be built so that would-be attackers cannot simply guess or brute-force the credentials. Strategies include giving minimal feedback on failure (the same "invalid user name or password" message whether the account exists or not), locking an account after a certain number of failed attempts, and limiting attempts per source IP address. Each has a trade-off worth weighing: an account lockout lets an attacker who knows a user name lock that user out, and IP-based limits are coarse, since many users share one address behind NAT and a determined attacker spreads attempts across many addresses, so locks should be short and logged rather than permanent. Password strength requirements reduce the chance of a guessable password; a minimum length does more than elaborate composition rules alone.
At Collective Data, we use state of the art encryption libraries for encrypting sensitive data. We provide minimal failure feedback. The password strength and lockout parameters are configurable so that you can set the level of security you require.
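The login strategy described above, as an added example written for this article rather than code from Collective Data's product: failed attempts are counted per account and per source IP, every failure returns the same generic message (including while a lock is in place), unknown user names cost the same as real ones so timing does not reveal which accounts exist, and the lock expires after a fixed interval to limit the denial-of-service trade-off. The user store, the sample password and the limits are constructed for the example; the hash uses the Python standard library's scrypt.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5         # consecutive failures before an account or address is locked
LOCKOUT_SECONDS = 900    # how long a lock lasts; a short lock limits denial-of-service
GENERIC_FAILURE = "Invalid user name or password"  # identical text for every failure cause


def _scrypt(password: str, salt: bytes) -> bytes:
    # Salted, deliberately slow hash (stdlib scrypt); these cost parameters are a common baseline.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


# Constructed user store for the example (a real one lives in the database):
# maps user name -> (salt, scrypt digest). "correct horse battery" is the sample password.
_ALICE_SALT = os.urandom(16)
USERS = {"alice": (_ALICE_SALT, _scrypt("correct horse battery", _ALICE_SALT))}
_DUMMY_SALT = os.urandom(16)  # used so unknown-user checks cost the same as real ones


class LoginGuard:
    """Counts consecutive failures per account and per source IP and locks both."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock            # injectable so tests can advance time
        self.failures = {}            # (kind, key) -> (count, time of last failure)

    def _locked(self, key) -> bool:
        count, last = self.failures.get(key, (0, 0.0))
        return count >= MAX_FAILURES and (self.clock() - last) < LOCKOUT_SECONDS

    def _record_failure(self, key) -> None:
        count, _ = self.failures.get(key, (0, 0.0))
        self.failures[key] = (count + 1, self.clock())

    def login(self, username: str, password: str, source_ip: str):
        """Returns (success, message). The message never says *why* a login failed."""
        acct_key, ip_key = ("acct", username), ("ip", source_ip)
        if self._locked(acct_key) or self._locked(ip_key):
            return False, GENERIC_FAILURE   # do not even reveal that a lock is in place

        record = USERS.get(username)
        if record is None:
            _scrypt(password, _DUMMY_SALT)  # burn the same cost: timing must not reveal valid names
            ok = False
        else:
            salt, stored = record
            ok = hmac.compare_digest(_scrypt(password, salt), stored)

        if not ok:
            self._record_failure(acct_key)
            self._record_failure(ip_key)
            return False, GENERIC_FAILURE
        self.failures.pop(acct_key, None)   # a good login clears the account counter
        return True, "OK"


if __name__ == "__main__":
    guard = LoginGuard()
    print(guard.login("alice", "wrong", "10.0.0.1"))                  # (False, 'Invalid user name or password')
    print(guard.login("alice", "correct horse battery", "10.0.0.1"))  # (True, 'OK')
```

The IP counter here is kept separate from the account counter on purpose: locking only the account would let anyone lock out a known user, while locking only the address would miss an attacker rotating through many addresses against one account.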
2) The Database – SQL Injection Attacks
A common attack on a web site is SQL injection. The attacker supplies input, in a form field, URL parameter or cookie, crafted so that when the application pastes it into the text of a database query it is parsed as SQL rather than treated as data. The classic goal is to dump database contents back to the browser, but the same flaw can bypass a login check or modify and delete data.
At Collective Data, we employ several defenses against such attacks: parameterized statements, database permissions, and escaping, to name a few. These layers complement each other. Parameterized (prepared) statements are the primary control, because the query text stays fixed and the user's value is passed to the database separately, so it can never be parsed as SQL. Escaping is a fallback for the few places a parameter cannot be used. Running the application against a database account that has only the permissions it needs limits what an injection can read or change if one does get through.
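The difference between a concatenated query and a parameterized one, as an added example that is not Collective Data's code: a tautology payload and a `UNION` payload both make the vulnerable lookup return data it should not, while the parameterized version compares the same strings as plain data and returns nothing. It also covers the case parameters cannot handle, a column name supplied by the user, where an allow-list is the only safe option. The table, rows and column names are constructed for the example, and SQLite (Python's `sqlite3` module) stands in for whatever database the application uses.

```python
import sqlite3


# Constructed sample data for the example: a small vehicle table with one column,
# secret_note, that the plate lookup page is never meant to show.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE vehicles (id INTEGER PRIMARY KEY, plate TEXT, owner TEXT, secret_note TEXT)"
    )
    conn.executemany(
        "INSERT INTO vehicles (plate, owner, secret_note) VALUES (?, ?, ?)",
        [("ABC123", "alice", "fleet card 4111"), ("XYZ789", "bob", "spare key in glovebox")],
    )
    return conn


def find_by_plate_vulnerable(conn: sqlite3.Connection, plate: str) -> list:
    # VULNERABLE (shown only for contrast): the user's input becomes part of the SQL text,
    # so a quote in the input ends the string literal and the rest is executed as SQL.
    sql = f"SELECT plate, owner FROM vehicles WHERE plate = '{plate}'"
    return conn.execute(sql).fetchall()


def find_by_plate_safe(conn: sqlite3.Connection, plate: str) -> list:
    # Parameterized statement: the query text is fixed and the value is bound separately,
    # so whatever the input contains, it is compared as data and never parsed as SQL.
    return conn.execute("SELECT plate, owner FROM vehicles WHERE plate = ?", (plate,)).fetchall()


ALLOWED_SORT_COLUMNS = ("plate", "owner")


def list_vehicles_sorted(conn: sqlite3.Connection, column: str) -> list:
    # Identifiers (table and column names) cannot be bound as parameters; for those the
    # only safe approach is an allow-list of the exact values the application supports.
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column")
    return conn.execute(f"SELECT plate, owner FROM vehicles ORDER BY {column}").fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' UNION SELECT secret_note, owner FROM vehicles --"
    print(find_by_plate_vulnerable(db, payload))  # leaks both secret notes
    print(find_by_plate_safe(db, payload))        # []
```

Note that `--` in the second payload comments out the application's trailing quote; the injected query is syntactically valid, which is why the database happily runs it.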
3) Scripting – Cross Site Scripting Attacks
Cross-site scripting (XSS) is an attack that injects client-side script into a page served by the web application, so that it runs in other users' browsers with the site's own origin and privileges, for example to read session cookies or act as the logged-in user. The root cause is untrusted input written into page output without encoding. Prevention is context-aware output encoding (the HTML body, attribute values, URLs, and script each need different treatment), never inserting untrusted data into script, and marking session cookies HttpOnly so that injected script cannot read them even if encoding is missed somewhere.
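Output encoding by context, as an added example written for this article and not taken from Collective Data's software: a comment is rendered once by string concatenation (vulnerable) and once with encoding appropriate to each context, including the URL context where HTML escaping alone does nothing against a `javascript:` link. The markup, the sample payloads and the function names are constructed for the example; a real application would get the same effect from a templating engine with auto-escaping turned on.

```python
import html
from urllib.parse import urlsplit


def render_comment_vulnerable(author: str, text: str) -> str:
    # VULNERABLE (shown only for contrast): untrusted values are concatenated straight
    # into the page, so a <script> tag in `text` or a quote in `author` becomes markup.
    return f'<div class="comment" data-author="{author}">{text}</div>'


def render_comment_safe(author: str, text: str) -> str:
    # Encode each value for the context it lands in. The attribute value needs quotes
    # encoded as well (quote=True), otherwise `" onmouseover="...` breaks out of it.
    return (
        f'<div class="comment" data-author="{html.escape(author, quote=True)}">'
        f'{html.escape(text)}</div>'
    )


def safe_href(url: str) -> str:
    # URL context is different again: `javascript:alert(1)` contains nothing that HTML
    # escaping would touch, so the scheme must be checked against an allow-list first.
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def render_link(url: str, label: str) -> str:
    return f'<a href="{safe_href(url)}">{html.escape(label)}</a>'


if __name__ == "__main__":
    stolen = "<script>alert(document.cookie)</script>"
    print(render_comment_vulnerable("mallory", stolen))  # script tag lands in the page as-is
    print(render_comment_safe("mallory", stolen))        # rendered as harmless text
    print(render_link("javascript:alert(1)", "click"))   # href becomes "#"
```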
4) Protecting Sensitive Data
Passwords must never be stored in a recoverable form: store only a salted, deliberately slow hash (bcrypt, scrypt or Argon2 are the usual choices), so that a copy of the database does not yield the passwords themselves. Other personal information that the application must be able to read back should be encrypted at rest. Personal data must not be written to logs. Password entry fields must mask what is typed.
5) Data Visibility – Logging and Storage
Sensitive data must not appear in log files at all; redact or omit it at the point of logging rather than relying on encrypting the log afterwards, since anyone with access to the log and its key still sees the secret. In the database, passwords are stored only as salted hashes, and other sensitive data is stored encrypted.
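Sections 4 and 5 above, as one added example that is not Collective Data's code: a password is stored as a salted scrypt hash in a self-describing string that carries its own cost parameters (so they can be raised later without invalidating old records), verification uses a constant-time comparison, and a redaction function strips secret fields and card-number-shaped digit runs from a log line before it is written. The stored-hash format, the field names and the sample log lines are constructed for the example; scrypt comes from the Python standard library.

```python
import base64
import hashlib
import hmac
import os
import re


# --- Password storage: a salted, deliberately slow hash, never reversible encryption ---
# Stored form (a format made up for this example): scrypt$N$r$p$<salt b64>$<digest b64>
def hash_password(password: str, n: int = 2**14, r: int = 8, p: int = 1) -> str:
    salt = os.urandom(16)                      # fresh random salt per password
    digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    return "$".join(["scrypt", str(n), str(r), str(p),
                     base64.b64encode(salt).decode(), base64.b64encode(digest).decode()])


def verify_password(password: str, stored: str) -> bool:
    try:
        algo, n, r, p, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False                           # malformed record: treat as no match
    if algo != "scrypt":
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    actual = hashlib.scrypt(password.encode(), salt=salt,
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(actual, expected)   # constant-time comparison


# --- Log redaction: remove secrets and personal data before a line reaches the log ---
SENSITIVE_KEYS = ("password", "passwd", "token", "ssn", "card_number")
_KV = re.compile(r"\b(" + "|".join(SENSITIVE_KEYS) + r")=([^\s&;,]+)", re.IGNORECASE)
# Crude 13-16 digit pattern with optional space/hyphen separators; it will also hit some
# long numeric IDs, which is the safe direction to err in for a log.
_PAN = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")


def redact(line: str) -> str:
    line = _KV.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)
    return _PAN.sub("[REDACTED-PAN]", line)


if __name__ == "__main__":
    record = hash_password("correct horse battery")
    print(record)                                            # scrypt$16384$8$1$...
    print(verify_password("correct horse battery", record))  # True
    print(redact("POST /login user=alice password=hunter2 card_number=4111111111111111"))
```

`verify_password` reads the cost parameters out of the stored string rather than from a constant, which is what allows a later migration to a higher cost: new hashes get the new parameters, old ones still verify, and the application can re-hash on the next successful login.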
6) Role Based Visibility
In the Collective Data software, views, fields, and other objects can be hidden from any user based on their user type role. This reduces the attack surface by limiting the information any given user can see. For this to be a security control rather than a convenience, the role check must be enforced on the server for every request, both when reading and when writing, because a field that is merely hidden in the browser is still reachable by a hand-crafted request.
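Server-side enforcement of role-based visibility, as an added example written for this article and not a description of how Collective Data implements it: a deny-by-default policy maps each role to the fields it may see, every record is projected through that policy before it leaves the server, and an update naming a field the role cannot see is rejected rather than silently applied. The roles, field names and sample record are constructed for the example.

```python
# Constructed policy for the example: the set of fields each role may see.
# Anything not listed is invisible, and an unknown role gets nothing (deny by default).
FIELD_VISIBILITY = {
    "admin":   {"plate", "owner", "vin", "purchase_price"},
    "manager": {"plate", "owner", "vin"},
    "driver":  {"plate"},
}


def visible_fields(role: str) -> frozenset:
    return frozenset(FIELD_VISIBILITY.get(role, ()))


def project_record(record: dict, role: str) -> dict:
    # Applied on the server to every response: fields the role may not see never leave
    # the server, so hiding them in the UI is a convenience, not the control.
    allowed = visible_fields(role)
    return {name: value for name, value in record.items() if name in allowed}


def apply_update(record: dict, changes: dict, role: str) -> dict:
    # The same policy on the write path: at minimum, a field a role cannot see it cannot
    # edit, and a hand-crafted request naming such a field is rejected outright.
    rejected = set(changes) - visible_fields(role)
    if rejected:
        raise PermissionError(f"role {role!r} may not modify {sorted(rejected)}")
    return {**record, **changes}


if __name__ == "__main__":
    vehicle = {"plate": "ABC123", "owner": "alice", "vin": "1HGCM82633A004352", "purchase_price": 18500}
    print(project_record(vehicle, "driver"))   # {'plate': 'ABC123'}
    try:
        apply_update(vehicle, {"purchase_price": 1}, "driver")
    except PermissionError as err:
        print(err)                              # role 'driver' may not modify ['purchase_price']
```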
7) Server Access Restriction
Another important area is restricting access to the servers themselves. This includes firewalls (limiting open ports to those the application actually needs), network permissions, and network segmentation, so that, for example, the database server accepts connections only from the application servers and is not reachable from the internet at all. These controls are typically configured by your IT team or network administrator.
8) Viruses and Malware
No discussion of security would be complete without mentioning the obvious threat of viruses and malware. Keep the operating system and the application's dependencies patched, and run current, automatically updated anti-virus and anti-malware software on the servers and on the workstations used to administer them. There are many products to choose from; many offer free versions that can be upgraded to professional versions, and a number of websites publish reviews and comparisons. Look for solutions that include internet protection options.
At Collective Data, we take web security very seriously. We minimize the attack surface by reducing the number of attack vectors, restricting the information available to various users by role, and by other techniques including proper authentication and encryption. By minimizing the attack surface, we hope to provide our customers with the best possible web application security.